Pokemon Go Security Risks: What CIOs and CTOs Need to Know to be Safe

Pokemon Go is nothing less than a worldwide sensation right now, and the security risks that come with it are drawing almost as much attention as the game itself. According to a real-time tracker built by AppInstitute, the game is fetching around 15,000 downloads every minute and bringing in roughly $100,000 every four minutes. At the same time, businesses and even governments are growing worried about the risks involved.

In the few weeks since it appeared in the app stores, Pokemon Go has been downloaded by more than 30 million smartphone users worldwide. It is a game and it is meant to be fun, but some security experts are warning that the risks may not be worth the reward of catching Pikachu.

Indonesian officials have warned that Pokemon Go is a “national security threat,” and military headquarters have banned personnel from playing the game while on duty, according to the Jakarta Post.

Meanwhile, in Egypt, there is heated debate over whether Pokemon Go poses a significant threat to national security. Ahmed Badawi, deputy head of the communication committee, urged Egyptian officials to consider banning the game because it allegedly exposes the country’s important security sites to the world.

Even in the U.S., operations security (OPSEC) is a process that intelligence officers and other government workers follow to protect unclassified information that an adversary could piece together to cause harm. In practical terms it means being careful about what you post on social media, in email and anywhere else in public.

Because Pokémon Go uses account information and location, it is reason enough for military officers and government workers to keep OPSEC requirements in mind. Six days ago, in fact, an anonymous member of the military posted to Reddit’s r/pokemongo forum to ask other servicemembers whether the game presented an OPSEC concern.

Why Pokemon Go Security Risks are a Concern for CIOs and CTOs

Why should CISOs and security professionals care whether employees spend their spare time hunting Pokémon? Because every app an employee installs on a mobile device that is also used to connect to the corporate network and handle sensitive data can put the enterprise at risk.

Access to Sensitive Information

To be honest, it is not just Pokemon Go. Many apps like it sit on millions of devices, and each one is a potential threat. Most users never check what permissions they grant, and when those devices enter the enterprise network the CIO inherits the problem. Enterprises are increasingly adopting BYOD (Bring Your Own Device) practices, which expose the network to threats carried in on employee-owned devices and give unauthorized actors a path into company systems.

According to the Ponemon Institute, roughly 69% of employees use personal devices for work purposes, which amplifies the risk for businesses that let employees use corporate accounts or reach corporate servers from their mobile devices.

Looking at the connected apps listed under a Pokemon Go player’s Google account security settings shows that the game has been granted “full account access” automatically. For iOS users there is no way to edit this permission; the only option is to revoke access entirely.

For players on Android, the game does not show up under the Google account security permissions at all. The Google Play store does list the information Pokemon Go may have access to, however, including “accounts on the device” and “full network access.”

What does “full account access” mean?

It is exactly what it sounds like. An application granted full account access can see and modify almost all of the information in your Google account. Such access should be given only to applications you trust completely, and then only if they genuinely need it; a game that only has to identify you does not.

Adam Reeve, one of the first to report this, said that Pokémon GO was granted full access to his Google account without explicitly asking for permission. Reeve said, “And they have no need to do this – when a developer sets up the ‘Sign in with Google’ functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.”

Note: On July 12, Niantic Labs pushed an update to the Pokémon GO app in the Apple App Store. That update, version 1.0.1, “fixed Google account scope.” The app now requests only basic information rather than full account access: your Google profile information and email address.
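As an added example, not Niantic’s code or Google’s library, the following Python shows what “asking for the minimum” looks like in practice: the authorization request for a “Sign in with Google” flow is built with explicit, minimal scopes, and the scope list reported for an issued token is checked against that allowlist before the token is accepted. The Google endpoint and the openid, email, profile and Gmail scopes are real; the client ID, redirect URI, state value and sample token responses are constructed for illustration.

```python
"""Scope-minimised "Sign in with Google" request plus a scope audit.

Added example, not Niantic's or Google's code.  The endpoint and scope
names are real Google values; the client ID, redirect URI, state token and
sample token responses below are constructed for illustration only.
"""
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# All a plain sign-in needs: a stable subject id, the e-mail address and the
# basic profile.  Every scope beyond this must be justified by a feature.
MINIMAL_SIGN_IN_SCOPES = ("openid", "email", "profile")


def build_sign_in_url(client_id, redirect_uri, state, scopes=MINIMAL_SIGN_IN_SCOPES):
    """Return the authorization URL for an authorization-code sign-in flow.

    Scopes are passed explicitly so a code reviewer can see exactly what the
    app asks the user for.  `state` is the CSRF token that the callback must
    compare with the value stored in the user's session.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "online",  # no refresh token for a pure sign-in
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(url):
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return tuple(query.get("scope", [""])[0].split())


def excess_scopes(granted, allowed=MINIMAL_SIGN_IN_SCOPES):
    """Return the scopes in `granted` that are not in `allowed`.

    `granted` is the space-separated `scope` string an OAuth token response
    (or Google's tokeninfo endpoint) reports for an issued token.  An empty
    result means the token stays inside the sign-in allowlist.
    """
    allowed_set = set(allowed)
    return tuple(s for s in granted.split() if s not in allowed_set)


def accept_token_response(token_response, allowed=MINIMAL_SIGN_IN_SCOPES):
    """Decide whether a token response may be used by the app.

    Rejects a token that carries any scope outside the allowlist, which is
    how a deployment catches a mis-configured console setting or a changed
    consent screen before the over-broad token is ever stored.
    """
    if "access_token" not in token_response:
        return False
    return excess_scopes(token_response.get("scope", ""), allowed) == ()


# Constructed token responses: one within the allowlist, one that reaches
# into the user's mail (https://mail.google.com/ is the real full-Gmail scope,
# used here only to show what an over-broad grant looks like).
SAMPLE_TOKEN_OK = {
    "access_token": "ya29.constructed-example",
    "token_type": "Bearer",
    "scope": "openid email profile",
}
SAMPLE_TOKEN_BROAD = {
    "access_token": "ya29.constructed-example-2",
    "token_type": "Bearer",
    "scope": "openid email profile https://mail.google.com/",
}

if __name__ == "__main__":
    url = build_sign_in_url("example-client-id.apps.googleusercontent.com",
                            "https://app.example/oauth/callback", "csrf-8f3a")
    print(url)
    print("requested:", requested_scopes(url))
    print("accept ok token:", accept_token_response(SAMPLE_TOKEN_OK))
    print("accept broad token:", accept_token_response(SAMPLE_TOKEN_BROAD))
    print("excess:", excess_scopes(SAMPLE_TOKEN_BROAD["scope"]))
```

The runtime check matters as much as the request: the scopes a token actually carries are whatever the provider granted, so an app that only ever inspects its own request can still end up holding a broad token after a console misconfiguration.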

Malicious Versions of Pokemon Go

Another Pokemon Go security risk that has surfaced is counterfeit versions of the app in markets where it is not yet available (outside the U.S., Australia and New Zealand). Attackers are taking advantage of the gap and continually publishing new malicious versions of the app. Users in countries where Pokémon GO has not yet officially launched may “sideload” the app from unofficial sources, bypassing the app store’s checks, and put themselves and any corporate data on the device at risk.
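The following Python is an added example, not Niantic’s code or any vendor’s tool, of the check a security team can run on an APK before allowing it onto a managed device: verify that every file inside the package still matches the digests recorded in its JAR signing manifest (META-INF/MANIFEST.MF), that no file has been added outside that manifest, and that the package hash matches a value pinned from a known-good copy. The miniature APK, the pinned hash and the two tampered copies are constructed in memory so the script runs offline.

```python
"""Integrity checks for a sideloaded APK before it reaches a managed device.

Added example, not Niantic's or any vendor's code.  It verifies the JAR
signing manifest digests and an overall package hash; it does not verify
the signature block or the signer certificate (see the note after the code).
The sample APK and the tampered copies are constructed in memory.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Split a JAR manifest into blank-line-separated sections (one dict each).
    Long values are wrapped onto lines starting with a space; re-join them."""
    sections, current, last_key = [], {}, None
    for line in text.splitlines():
        if line == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
        else:
            key, _, value = line.partition(": ")
            current[key] = value
            last_key = key
    if current:
        sections.append(current)
    return sections


def _digest_ok(section, data):
    """Compare the recorded digest of an entry with the digest of its bytes."""
    if "SHA-256-Digest" in section:
        return section["SHA-256-Digest"] == base64.b64encode(hashlib.sha256(data).digest()).decode()
    if "SHA1-Digest" in section:  # older v1-signed packages
        return section["SHA1-Digest"] == base64.b64encode(hashlib.sha1(data).digest()).decode()
    return False


def verify_apk(apk_bytes, pinned_sha256=None):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if pinned_sha256 and hashlib.sha256(apk_bytes).hexdigest() != pinned_sha256:
        problems.append("package hash does not match the pinned value")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if MANIFEST_NAME not in names:
            return problems + ["no META-INF/MANIFEST.MF: package is not signed"]
        listed = {s["Name"]: s for s in parse_manifest(z.read(MANIFEST_NAME).decode())
                  if "Name" in s}
        for name, section in listed.items():
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing from package")
            elif not _digest_ok(section, z.read(name)):
                problems.append(f"{name}: digest mismatch, modified after signing")
        for name in sorted(names):  # anything unlisted was added after signing
            if not name.startswith("META-INF/") and not name.endswith("/") and name not in listed:
                problems.append(f"{name}: not covered by manifest, added after signing")
    return problems


def build_sample_apk(entries):
    """Constructed stand-in for a v1 (JAR) signed APK: a zip whose manifest
    records the SHA-256 of every entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST_NAME, "\n".join(lines))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def repackage(apk_bytes, name, data):
    """Model a repackaged copy: rewrite or add one entry, leave the manifest alone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as out:
        for entry in src.namelist():
            if entry != name:
                out.writestr(entry, src.read(entry))
        out.writestr(name, data)
    return buf.getvalue()


# Constructed sample package, with the pin taken from that known-good copy.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<constructed binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00constructed dex placeholder",
    "res/values/strings.xml": b"<resources/>",
}
GENUINE_APK = build_sample_apk(SAMPLE_ENTRIES)
PINNED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()
# Two counterfeit variants: modified code, and an extra dropped payload file.
MODIFIED_DEX_APK = repackage(GENUINE_APK, "classes.dex", b"dex\n035\x00with injected payload")
EXTRA_FILE_APK = repackage(GENUINE_APK, "assets/payload.bin", b"dropped payload")

if __name__ == "__main__":
    for label, apk in [("genuine", GENUINE_APK), ("modified dex", MODIFIED_DEX_APK),
                       ("extra file", EXTRA_FILE_APK)]:
        print(label, "->", verify_apk(apk, PINNED_SHA256) or "OK")
```

This catches crude repackaging only. A trojanized copy that has been re-signed with the attacker’s own key carries a consistent manifest and signature, so the check that matters in production is the signer certificate: compare the fingerprint printed by `apksigner verify --print-certs` with the fingerprint of the genuine app, and treat any other signer as counterfeit.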

CISOs and security professionals need processes and technology that give them visibility into the devices that connect to the corporate network, the apps installed on those devices, and the vulnerabilities and other risks those apps carry. Apps that seem harmless can easily cross the line and put an enterprise at risk.

Learn how Appknox can help protect your business from security threats masked by Pokemon Go.